System, method, and computer program product for encrypting sensitive data using a field programmable gate array

ABSTRACT

Provided is a system including at least one host application processor and at least one field programmable gate array (FPGA) device coupled to the at least one host application processor via a communication bus, the at least one host application processor is programmed or configured to receive a transaction data record comprising transaction data associated with a payment transaction, transmit the transaction data record to the at least one FPGA device via the communication bus, and receive an encrypted transaction data record from the at least one FPGA device via the communication bus, wherein one or more data fields of the transaction data record are encrypted to generate the encrypted transaction data record. A method and computer program product are also provided.

BACKGROUND 1. Field

This disclosure relates generally to encryption of sensitive data and,in some non-limiting aspects or embodiments, to systems, methods, andcomputer program products for encrypting sensitive data using a fieldprogrammable gate array (FPGA) device.

2. Technical Considerations

A central processing unit (CPU), such as a central processor or mainprocessor, may include the electronic circuitry within a computingdevice that executes instructions that make up a computer program. TheCPU may perform basic operations, such as arithmetic, logic, control,and input/output (I/O) operations specified by the instructions. Theprincipal components of a CPU may include an arithmetic logic unit (ALU)that performs arithmetic and logic operations, processor registers thatsupply operands to the ALU and store the results of ALU operations, anda control unit that orchestrates retrieval (e.g., fetching) andexecution of instructions by directing the coordinated operations of theALU, registers, and/or other components. In some examples, a CPU mayinclude a microprocessor. In such an example, the CPU may be containedon a single metal-oxide-semiconductor (MOS) integrated circuit (IC)chip. An IC that contains a CPU may also contain memory, peripheralinterfaces, and/or other components of a computing device. Suchintegrated devices may be referred to as systems on a chip (SoC).

In some instances, a computing, extract, transform, load (ETL) processmay refer to a general procedure that involves copying data from one ormore source systems into a destination system that represents the datadifferently from how the data is represented in the one or more sourcesystems or in a different context from the context of the data in theone or more source systems. As the name implies, an ETL process mayinvolve data extraction, data transformation, and data loading. Dataextraction may involve extracting data (e.g., a dataset) from ahomogeneous source and/or a heterogeneous source. Data transformationmay involve processing the data by performing data cleansing operationsand transforming the data into a proper storage format and/or structurefor later use (e.g., for querying and/or analysis). Lastly, data loadingmay involve the insertion of the data into a final target data storagelocation, such as an operational data store, a data mart, a data lake,or a data warehouse.

In some instances, a host computing device with a CPU may perform an ETLprocess on data and during the ETL process, some of the data may need tobe encrypted by the host computing device. In such an example, the hostcomputing device may request and receive an encryption key and/or adecryption key from a separate (e.g., remote) computing device. However,the encryption key and/or decryption key may be vulnerable to detectionwhen the encryption key and/or decryption key is transmitted by theseparate computing device to the host computing device over acommunication network. In addition, during the ETL process, the hostcomputing device may only be able to parse the data in serial processbased on the CPU.

SUMMARY

Disclosed are systems, methods, and computer program products forencrypting sensitive data using a field programmable gate array (FPGA)device.

According to some non-limiting embodiments or aspects, provided is asystem, comprising: at least one host application processor; at leastone FPGA device coupled to the at least one host application processorvia a communication bus; wherein the at least one host applicationprocessor is programmed or configured to: receive a transaction datarecord comprising transaction data associated with a paymenttransaction; transmit the transaction data record to the at least oneFPGA device via the communication bus; and receive an encryptedtransaction data record from the at least one FPGA device via thecommunication bus, wherein one or more data fields of the transactiondata record are encrypted to generate the encrypted transaction datarecord.

According to some non-limiting embodiments or aspects, provided is acomputer-implemented method, comprising: receiving, with at least oneprocessor of a computing device, a transaction data record comprisingtransaction data associated with a payment transaction; transmitting,with at least one processor of the computing device, the transactiondata record to a FPGA device of the computing device; and receiving,with at least one processor of the computing device, the encryptedtransaction data record from the FPGA device of the computing device,wherein one or more data fields of the transaction data record areencrypted to generate the encrypted transaction data record.

According to some non-limiting embodiments or aspects, provided is acomputer program product, comprising at least one non-transitorycomputer-readable medium including one or more instructions that, whenexecuted by at least one processor, cause the at least one processor to:receive a transaction data record comprising transaction data associatedwith a payment transaction; transmit the transaction data record to aFPGA device of a computing device; select a data record template fromamong a plurality of templates based on a format of the transaction datarecord; determine one or more data fields of the transaction data recordbased on the data record template; and receive an encrypted transactiondata record from the FPGA device, wherein data values included in theone or more data fields of the transaction data record are encryptedusing an encryption key stored in the FPGA device.

Further non-limiting aspects or embodiments are set forth in thefollowing numbered clauses:

Clause 1: A system, comprising: at least one host application processor;at least one field programmable gate array (FPGA) device coupled to theat least one host application processor via a communication bus; whereinthe at least one host application processor is programmed or configuredto: receive a transaction data record comprising transaction dataassociated with a payment transaction; transmit the transaction datarecord to the at least one FPGA device via the communication bus; andreceive an encrypted transaction data record from the at least one FPGAdevice via the communication bus, wherein one or more data fields of thetransaction data record are encrypted to generate the encryptedtransaction data record.

Clause 2: The system of clause 1, wherein the at least one FPGA device,when encrypting the one or more data fields of the transaction datarecord to generate the encrypted transaction data record, is configuredto: encrypt the one or more data fields of the transaction data recordusing an encryption key stored in read-only memory (ROM) of the at leastone FPGA device.

Clause 3: The system of clauses 1 or 2, wherein the at least one FPGAdevice, when encrypting the one or more data fields of the transactiondata record to generate the encrypted transaction data record, isconfigured to: select a data record template from among a plurality ofdata record templates based on a format of the transaction data record;determine the one or more data fields of the transaction data recordbased on the data record template; and encrypt data values included inthe one or more data fields of the transaction data record using anencryption key stored in the at least one FPGA device.

Clause 4: The system of any of clauses 1-3, wherein the at least onehost application processor is further programmed or configured to: storethe encrypted transaction data record in a database based on receivingthe encrypted transaction data record from the at least one FPGA device.

Clause 5: The system of any of clauses 1-4, wherein the at least onehost application processor is further programmed or configured to:receive a request for the transaction data record; retrieve theencrypted transaction data record from the database; transmit theencrypted transaction data record to the at least one FPGA device; andreceive a decrypted transaction data record from the at least one FPGAdevice, wherein one or more data fields of the encrypted transactiondata record are decrypted to generate the decrypted transaction datarecord.

Clause 6: The system of any of clauses 1-5, wherein the at least onehost application processor, when retrieving the encrypted transactiondata record from the database, is programmed or configured to: determinea data record identifier of the transaction data record from therequest; and retrieve the encrypted transaction data record from thedatabase based on the data record identifier.

Clause 7: The system of any of clauses 1-6, wherein the at least onehost application processor is further programmed or configured to:receive data associated with an encryption key; and update aconfiguration of the at least one FPGA device based on the dataassociated with the encryption key.

Clause 8: The system of any of clauses 1-7, wherein the at least oneFPGA device, when transmitting the transaction data record to the atleast one FPGA device, is programmed or configured to: transmit thetransaction data record to the at least one FPGA device via a peripheralcomponent interconnect express (PCIe) bus, and wherein the at least oneFPGA device, when receiving the encrypted transaction data record fromthe at least one FPGA device, is programmed or configured to: receivethe encrypted transaction data record from the FPGA device via a PCIebus.

Clause 9: A computer-implemented method, comprising: receiving, with atleast one processor of a computing device, a transaction data recordcomprising transaction data associated with a payment transaction;transmitting, with at least one processor of the computing device, thetransaction data record to a field programmable gate array (FPGA) deviceof the computing device; and receiving, with at least one processor ofthe computing device, the encrypted transaction data record from theFPGA device, wherein one or more data fields of the transaction datarecord are encrypted to generate the encrypted transaction data record.

Clause 10: The computer-implemented method of clause 9, whereinencrypting the one or more data fields of the transaction data recordcomprises: selecting a data record template from among a plurality oftemplates based on a format of the transaction data record; determiningthe one or more data fields of the transaction data record based on thedata record template; and encrypting data values included in the one ormore data fields of the transaction data record using an encryption keystored in the FPGA device.

Clause 11: The computer-implemented method of clauses 9 or 10, whereinthe one or more data fields are one or more first data fields of thetransaction data record and wherein encrypting the one or more firstdata fields of the transaction data record comprises: foregoingencrypting one or more second data fields of the transaction datarecord, wherein the one or more second fields of the transaction datarecord comprise one or more data fields reserved for non-confidentialdata.

Clause 12: The computer-implemented method of any of clauses 9-11,further comprising: storing the encrypted transaction data record in adatabase based on receiving the encrypted transaction data record fromthe FPGA device.

Clause 13: The computer-implemented method any of clauses 9-12, furthercomprising: receiving a request for the transaction data record;retrieving the encrypted transaction data record from the database;transmitting the encrypted transaction data record to the FPGA device;decrypting the one or more data fields of the encrypted transaction datarecord using a decryption key stored in the FPGA device to generate adecrypted transaction data record; and receiving the decryptedtransaction data record from the FPGA device.

Clause 14: The computer-implemented method any of clauses 9-13, whereinretrieving the encrypted transaction data record from the databasecomprises: determining a data record identifier from the request for thetransaction data record; and retrieving the encrypted transaction datarecord from the database based on the data record identifier.

Clause 15: The computer-implemented method any of clauses 9-14, furthercomprising: receiving data associated with an encryption key; andupdating a configuration of the FPGA device based on the data associatedwith the encryption key.

Clause 16: The computer-implemented method any of clauses 9-15, whereintransmitting the transaction data record to the FPGA comprises:transmitting the transaction data record to the FPGA device via aperipheral component interconnect express (PCIe) bus, and whereinreceiving the encrypted transaction data record from the FPGA devicecomprises: receiving the encrypted transaction data record from the FPGAdevice via the PCIe bus.

Clause 17: A computer program product, comprising at least onenon-transitory computer-readable medium including one or moreinstructions that, when executed by at least one processor, cause the atleast one processor to: receive a transaction data record comprisingtransaction data associated with a payment transaction; transmit thetransaction data record to a field programmable gate array (FPGA) deviceof a computing device; select a data record template from among aplurality of templates based on a format of the transaction data record;determine one or more data fields of the transaction data record basedon the data record template; and receive an encrypted transaction datarecord from the FPGA device, wherein data values included in the one ormore data fields of the transaction data record are encrypted using anencryption key stored in the FPGA device.

Clause 18: The computer program product of clause 17, wherein the one ormore instructions further cause the at least one processor to: store theencrypted transaction data record in a database based on receiving theencrypted transaction data record from the FPGA device.

Clause 19: The computer program product of clauses 17 or 18, wherein theone or more instructions further cause the at least one processor to:receive a request for the transaction data record; retrieve theencrypted transaction data record from the database based on the requestfor the transaction data record; transmit the encrypted transaction datarecord to the FPGA device; receive a decrypted transaction data recordfrom the FPGA device, wherein the data values included in the one ormore data fields of the encrypted transaction data record are decryptedusing an decryption key stored in the FPGA device.

Clause 20: The computer program product of any of clauses 17-19, whereinthe encryption key is a first encryption key and wherein the one or moreinstructions further cause the at least one processor to: receive dataassociated with a second encryption key; and update a configuration ofthe FPGA device based on the data associated with the second encryptionkey.

These and other features and characteristics of the present disclosure,as well as the methods of operation and functions of the relatedelements of structures and the combination of parts and economies ofmanufacture, will become more apparent upon consideration of thefollowing description and the appended claims with reference to theaccompanying drawings, all of which form a part of this specification,wherein like reference numerals designate corresponding parts in thevarious figures. It is to be expressly understood, however, that thedrawings are for the purpose of illustration and description only andare not intended as a definition of the limits of the presentdisclosure. As used in the specification and the claims, the singularform of “a,” “an,” and “the” include plural referents unless the contextclearly dictates otherwise.

BRIEF DESCRIPTION OF THE DRAWINGS

Additional advantages and details of non-limiting embodiments or aspectsare explained in greater detail below with reference to the exemplaryembodiments that are illustrated in the accompanying schematic figures,in which:

FIG. 1A is a diagram of a non-limiting embodiment of an environment inwhich systems, devices, computer program products, apparatus, and/ormethods, described herein, may be implemented according to theprinciples of the present disclosure;

FIG. 1B is a diagram of a non-limiting aspect or embodiment of a hostapplication device according to the present disclosure;

FIG. 2 is a diagram of a non-limiting aspect or embodiment of componentsof one or more devices and/or one or more systems of FIG. 1A;

FIG. 3 is a flowchart of a non-limiting aspect or embodiment of aprocess for encrypting sensitive data using a field programmable gatearray (FPGA) device; and

FIGS. 4A-4H are diagrams of a non-limiting embodiment of animplementation described herein.

DESCRIPTION

For purposes of the description hereinafter, the terms “end,” “upper,”“lower,” “right,” “left,” “vertical,” “horizontal,” “top,” “bottom,”“lateral,” “longitudinal,” and derivatives thereof shall relate to thedisclosure as it is oriented in the drawing figures. However, it is tobe understood that the disclosure may assume various alternativevariations and step sequences, except where expressly specified to thecontrary. It is also to be understood that the specific devices andprocesses illustrated in the attached drawings, and described in thefollowing specification, are simply exemplary embodiments or aspects ofthe disclosure. Hence, specific dimensions and other physicalcharacteristics related to the embodiments or aspects of the embodimentsdisclosed herein are not to be considered as limiting unless otherwiseindicated.

No aspect, component, element, structure, act, step, function,instruction, and/or the like used herein should be construed as criticalor essential unless explicitly described as such. Also, as used herein,the articles “a” and “an” are intended to include one or more items, andmay be used interchangeably with “one or more” and “at least one.”Furthermore, as used herein, the term “set” is intended to include oneor more items (e.g., related items, unrelated items, a combination ofrelated and unrelated items, and/or the like) and may be usedinterchangeably with “one or more” or “at least one.” Where only oneitem is intended, the term “one” or similar language is used. Also, asused herein, the terms “has,” “have,” “having,” or the like are intendedto be open-ended terms. Further, the phrase “based on” is intended tomean “based at least partially on” unless explicitly stated otherwise.

As used herein, the terms “communication” and “communicate” may refer tothe reception, receipt, transmission, transfer, provision, and/or thelike of information (e.g., data, signals, messages, instructions,commands, and/or the like). For one unit (e.g., a device, a system, acomponent of a device or system, combinations thereof, and/or the like)to be in communication with another unit means that the one unit is ableto directly or indirectly receive information from and/or transmitinformation to the other unit. This may refer to a direct or indirectconnection that is wired and/or wireless in nature. Additionally, twounits may be in communication with each other even though theinformation transmitted may be modified, processed, relayed, and/orrouted between the first and second unit. For example, a first unit maybe in communication with a second unit even though the first unitpassively receives information and does not actively send information tothe second unit. As another example, a first unit may be incommunication with a second unit if at least one intermediary unit(e.g., a third unit located between the first unit and the second unit)processes information received from the first unit and sends theprocessed information to the second unit. In some non-limitingembodiments, a message may refer to a network packet (e.g., a datapacket and/or the like) that includes data.

As used herein, the terms “issuer,” “issuer institution,” “issuer bank,”or “payment device issuer,” may refer to one or more entities thatprovide accounts to individuals (e.g., users, customers, and/or thelike) for conducting payment transactions such as such as credit paymenttransactions and/or debit payment transactions. For example, an issuerinstitution may provide an account identifier, such as a primary accountnumber (PAN), to a customer that uniquely identifies one or moreaccounts associated with that customer. In some non-limitingembodiments, an issuer may be associated with a bank identificationnumber (BIN) that uniquely identifies the issuer institution. As usedherein, the term “issuer system” may refer to one or more computersystems operated by or on behalf of an issuer, such as a serverexecuting one or more software applications. For example, an issuersystem may include one or more authorization servers for authorizing atransaction.

As used herein, the term “account identifier” may include one or moretypes of identifiers associated with an account (e.g., a PAN associatedwith an account, a card number associated with an account, a paymentcard number associated with an account, a token associated with anaccount, and/or the like). In some non-limiting embodiments, an issuermay provide an account identifier (e.g., a PAN, a token, and/or thelike) to a user (e.g., an account holder) that uniquely identifies oneor more accounts associated with that user. The account identifier maybe embodied on a payment device (e.g., a physical instrument used forconducting payment transactions, such as a payment card, a credit card,a debit card, a gift card, and/or the like) and/or may be electronicinformation communicated to the user that the user may use forelectronic payment transactions. In some non-limiting embodiments, theaccount identifier may be an original account identifier, where theoriginal account identifier was provided to a user at the creation ofthe account associated with the account identifier. In some non-limitingembodiments, the account identifier may be a supplemental accountidentifier, which may include an account identifier that is provided toa user after the original account identifier was provided to the user.For example, if the original account identifier is forgotten, stolen,and/or the like, a supplemental account identifier may be provided tothe user. In some non-limiting embodiments, an account identifier may bedirectly or indirectly associated with an issuer institution such thatan account identifier may be a token that maps to a PAN or other type ofaccount identifier. Account identifiers may be alphanumeric, anycombination of characters and/or symbols, and/or the like.

As used herein, the term “token” may refer to an account identifier ofan account that is used as a substitute or replacement for anotheraccount identifier, such as a PAN. Tokens may be associated with a PANor other original account identifier in one or more data structures(e.g., one or more databases) such that they may be used to conduct apayment transaction without directly using an original accountidentifier. In some non-limiting embodiments, an original accountidentifier, such as a PAN, may be associated with a plurality of tokensfor different individuals or purposes. In some non-limiting embodiments,tokens may be associated with a PAN or other account identifiers in oneor more data structures such that they can be used to conduct atransaction without directly using the PAN or the other accountidentifiers. In some examples, an account identifier, such as a PAN, maybe associated with a plurality of tokens for different uses or differentpurposes.

As used herein, the term “merchant” may refer to one or more entities(e.g., operators of retail businesses) that provide goods, services,and/or access to goods and/or services, to a user (e.g., a customer, aconsumer, and/or the like) based on a transaction such as a paymenttransaction. As used herein, the term “merchant system” may refer to oneor more computer systems operated by or on behalf of a merchant, such asa server executing one or more software applications. As used herein,the term “product” may refer to one or more goods and/or servicesoffered by a merchant.

As used herein, the term “point-of-sale (POS) device” may refer to oneor more electronic devices, which may be used by a merchant to conduct atransaction (e.g., a payment transaction) and/or process a transaction.Additionally or alternatively, a POS device may include peripheraldevices, card readers, scanning devices (e.g., code scanners and/or thelike), Bluetooth® communication receivers, near-field communication(NFC) receivers, radio frequency identification (RFID) receivers, and/orother contactless transceivers or receivers, contact-based receivers,payment terminals, and/or the like.

As used herein, the term “point-of-sale (POS) system” may refer to oneor more client devices and/or peripheral devices used by a merchant toconduct a transaction. For example, a POS system may include one or morePOS devices and/or other like devices that may be used to conduct apayment transaction. In some non-limiting embodiments, a POS system(e.g., a merchant POS system) may include one or more server computersprogrammed or configured to process online payment transactions throughwebpages, mobile applications, and/or the like.

As used herein, the term “transaction service provider” may refer to anentity that receives transaction authorization requests from merchantsor other entities and provides guarantees of payment, in some casesthrough an agreement between the transaction service provider and anissuer institution. In some non-limiting embodiments, a transactionservice provider may include a credit card company, a debit cardcompany, a payment network such as Visa®, MasterCard®, AmericanExpress®,or any other entity that processes transaction. As used herein, the term“transaction service provider system” may refer to one or more computersystems operated by or on behalf of a transaction service provider, suchas a transaction service provider system executing one or more softwareapplications. A transaction service provider system may include one ormore processors and, in some non-limiting embodiments, may be operatedby or on behalf of a transaction service provider.

As used herein, the term “payment device” may refer to a payment card(e.g., a credit or debit card), a gift card, a smart card (e.g., a chipcard, an integrated circuit card, and/or the like), smart media, apayroll card, a healthcare card, a wristband, a machine-readable mediumcontaining account information, a keychain device or fob, an RFIDtransponder, a retailer discount or loyalty card, and/or the like. Thepayment device may include a volatile or a non-volatile memory to storeinformation (e.g., an account identifier, a name of the account holder,and/or the like).

As used herein, the term “computing device” may refer to one or moreelectronic devices (e.g., processors, storage devices, and/or similarcomputer components) that are configured to directly or indirectlycommunicate with or over one or more networks. In some non-limitingembodiments, a computing device may include a mobile device. A mobiledevice may include a smartphone, a portable computer, a wearable device(e.g., watches, glasses, lenses, clothing, and/or the like), a personaldigital assistant (PDA), and/or other like devices. In some non-limitingembodiments, a computing device may include a server, a desktopcomputer, and/or the like.

As used herein, the terms “client” and “client device” may refer to oneor more computing devices that access a service made available by aserver. In some non-limiting embodiments, a “client device” may refer toone or more devices that facilitate payment transactions, such as one ormore POS devices used by a merchant. In some non-limiting embodiments, aclient device may include a computing device configured to communicatewith one or more networks and/or facilitate payment transactions suchas, but not limited to, one or more desktop computers, one or moremobile devices, and/or other like devices. Moreover, a “client” may alsorefer to an entity, such as a merchant, that owns, utilizes, and/oroperates a client device for facilitating payment transactions with atransaction service provider.

As used herein, the term “server” may refer to one or more computingdevices that communicate with client devices and/or other computingdevices over a communication network and/or, in some examples,facilitate communication among other computing devices and/or clientdevices.

As used herein, the term “system” may refer to one or more combinationsof computing devices. In addition, reference to “a server” or “aprocessor,” as used herein, may refer to a previously-recited serverand/or processor that is recited as performing a previous step orfunction, a different server and/or processor, and/or a combination ofservers and/or processors. For example, as used in the specification andthe claims, a first server and/or a first processor that is recited asperforming a first step or function may refer to the same or differentserver and/or a processor recited as performing a second step orfunction.

In some non-limiting embodiments, systems, computer-implemented methods,and computer program products for encrypting sensitive data using afield programmable gate array (FPGA) device are disclosed. For example,in one non-limiting embodiment, a system including at least one hostapplication processor and at least one FPGA device coupled to the atleast one host application processor via a communication bus, the atleast one host application processor is programmed or configured toreceive a transaction data record comprising transaction data associatedwith a payment transaction, transmit the transaction data record to theat least one FPGA device via the communication bus, and receive anencrypted transaction data record from the at least one FPGA device viathe communication bus, wherein one or more data fields of thetransaction data record are encrypted to generate the encryptedtransaction data record.

In this way, non-limiting embodiments of the present disclosure mayallow for encrypting sensitive data using an encryption key and/ordecrypting sensitive data using a decryption key that does not involvetransmitting the encryption key and/or decryption key over acommunication network. In addition, the system may be able to parsetransaction data included in a transaction data record in a parallelprocess using the at least one FPGA device. In this way, the system mayreduce an amount of time associated with parsing the transaction data ascompared to parsing the transaction data in a serial process.

Referring now to FIG. 1A, FIG. 1A is a diagram of a non-limitingembodiment of an environment 100 in which devices, systems, methods,and/or products described herein may be implemented. As shown in FIG.1A, environment 100 includes host application device 102, user device104, merchant system 106, transaction service provider system 108, andissuer system 110. Host application device 102, user device 104,merchant system 106, transaction service provider system 108, and issuersystem 110 may interconnect (e.g., establish a connection to communicateand/or the like) via wired connections, wireless connections, or acombination of wired and wireless connections.

Host application device 102 may include a device capable of being incommunication with user device 104, merchant system 106, transactionservice provider system 108, and/or issuer system 110 via communicationnetwork 112. For example, host application device 102 may include acomputing device, such as one or more servers and/or other like devices.In some non-limiting embodiments, host application device 102 may beassociated with a transaction service provider (e.g., a transactionservice provider associated with transaction service provider system108). For example, host application device 102 may be a component oftransaction service provider system 108 associated with the transactionservice provider.

User device 104 may include a device capable of being in communicationwith host application device 102, merchant system 106, transactionservice provider system 108, and/or issuer system 110 via communicationnetwork 112. For example, user device 104 may include a mobile device,such as a smartphone, a wearable device, a personal digital assistant(PDA), and/or the like. In some non-limiting embodiments, user device104 may communicate via a short-range wireless communication connection(e.g., a wireless communication connection for communicating informationin a range between 2 to 3 centimeters to 5 to 6 meters, such as anear-field communication (NFC) communication connection, a radiofrequency identification (RFID) communication connection, a Bluetooth®communication connection, and/or the like). In some non-limitingembodiments, user device 104 may include a POS device associated with amerchant, as described herein.

Merchant system 106 may include one or more devices capable of being incommunication with host application device 102, user device 104,transaction service provider system 108, and/or issuer system 110 viacommunication network 112. For example, merchant system 106 may includeone or more computing devices, such as one or more mobile devices, oneor more smartphones, one or more wearable devices, one or more PDAs, oneor more servers, and/or the like. In some non-limiting embodiments,merchant system 106 may communicate via a short-range wirelesscommunication connection. In some non-limiting embodiments, merchantsystem 106 may be associated with a merchant, as described herein.

Transaction service provider system 108 may include one or more devicescapable of being in communication with host application device 102, userdevice 104, merchant system 106, and/or issuer system 110 viacommunication network 112. For example, transaction service providersystem 108 may include a server (e.g., a transaction processing server),a group of servers (e.g., a group of transaction processing servers),and/or other like devices. In some non-limiting embodiments, transactionservice provider system 108 may be associated with a transaction serviceprovider, as described herein.

Issuer system 110 may include one or more devices capable of being incommunication with host application device 102, user device 104,merchant system 106, and/or transaction service provider system 108 viacommunication network 112. For example, issuer system 110 may includeone or more computing devices, such as one or more servers and/or otherlike devices. In some non-limiting embodiments, issuer system 110 may beassociated with an issuer institution that issued a payment accountand/or instrument (e.g., a credit account, a debit account, a creditcard, a debit card, and/or the like) to a user.

Communication network 112 may include one or more wired and/or wirelessnetworks. For example, communication network 112 may include a cellularnetwork (e.g., a long-term evolution (LTE) network, a third generation(3G) network, a fourth generation (4G) network, a code division multipleaccess (CDMA) network, and/or the like), a public land mobile network(PLMN), a local area network (LAN), a wide area network (WAN), ametropolitan area network (MAN), a telephone network (e.g., the publicswitched telephone network (PSTN)), a private network, an ad hocnetwork, an intranet, the Internet, a fiber optic-based network, a cloudcomputing network, and/or the like, and/or a combination of some or allof these or other types of networks.

The number and arrangement of systems and/or devices shown in FIG. 1Aare provided as an example. There may be additional systems and/ordevices, fewer systems and/or devices, different systems and/or devices,or differently arranged systems and/or devices than those shown in FIG.1A. Furthermore, two or more systems and/or devices shown in FIG. 1A maybe implemented within a single system or a single device, or a singlesystem or a single device shown in FIG. 1A may be implemented asmultiple, distributed systems or devices. Additionally or alternatively,a set of systems or a set of devices (e.g., one or more systems, one ormore devices) of environment 100 may perform one or more functionsdescribed as being performed by another set of systems or another set ofdevices of environment 100.

Referring now to FIG. 1B, FIG. 1B is a diagram of a non-limitingembodiment of host application device 102 that includes host applicationprocessor 114, communication bus 116, and FPGA device 118. In somenon-limiting embodiments, host application processor 114 may include aprocessor (e.g., a central processing unit (CPU), a graphics processingunit (GPU), an accelerated processing unit (APU), and/or the like), amicroprocessor, a digital signal processor (DSP), and/or the like thatcan be programmed to perform a function. In some non-limitingembodiments, communication bus 116 may include a local computer bus forconnecting host application processor 114 and FPGA device 118 in hostapplication device 102. In some non-limiting embodiments, communicationbus 116 may include a local computer bus according to peripheralcomponent interconnect (PCI) standard or peripheral componentinterconnect express (PCIe) standard. In some non-limiting embodiments,FPGA device 118 may include an integrated circuit (IC) that is designedto have a configuration (e.g., a configuration of programmable logicblocks based on hardware elements) that may be changed for a suitabletask after the IC is manufactured. For example, FPGA device 118 mayinclude a field programmable gate array (FPGA). In some non-limitingembodiments, the configuration of FPGA device 118 may be specified usinga hardware description language (HDL) and/or circuit diagrams.

In some non-limiting embodiments, FPGA device 118 may be a component ofa computing device that is separate from host application device 102.For example, host application device 102 may include host applicationprocessor 114 and a second computing device (e.g., a server) may includeFPGA device 118. In such an example, host application processor 114 maycommunicate with FPGA device 118 via a communication network (e.g., acommunication network that is the same or similar to communicationnetwork 112, such as an Ethernet communication network). Additionally,host application processor 114 may communicate with FPGA device 118based on one or more application programming interface (API) calls(e.g., RESTful API calls).

Referring now to FIG. 2, FIG. 2 is a diagram of example components ofdevice 200. Device 200 may correspond to host application device 102,user device 104, merchant system 106 (e.g., one or more devices ofmerchant system 106), transaction service provider system 108 (e.g., oneor more devices of transaction service provider system 108), and/orissuer system 110 (e.g., one or more devices of issuer system 110). Insome non-limiting aspects or embodiments, host application device 102,user device 104, merchant system 106, transaction service providersystem 108, and/or issuer system 110 may include at least one device 200and/or at least one component of device 200. As shown in FIG. 2, device200 may include bus 202, processor 204, memory 206, storage component208, input component 210, output component 212, and communicationinterface 214.

Bus 202 may include a component that permits communication among thecomponents of device 200. In some non-limiting aspects or embodiments,processor 204 (e.g., host application processor 114) may be implementedin hardware, software, or a combination of hardware and software. Forexample, processor 204 may include a processor (e.g., a centralprocessing unit (CPU), a graphics processing unit (GPU), an acceleratedprocessing unit (APU), and/or the like), a microprocessor, a digitalsignal processor (DSP), and/or the like that can be programmed toperform a function. Memory 206 may include random access memory (RAM),read-only memory (ROM), and/or another type of dynamic or static storagedevice (e.g., flash memory, magnetic memory, optical memory, and/or thelike) that stores information and/or instructions for use by processor204.

Storage component 208 may store information and/or software related tothe operation and use of device 200. For example, storage component 208may include a hard disk (e.g., a magnetic disk, an optical disk, amagneto-optic disk, a solid state disk, and/or the like), a compact disc(CD), a digital versatile disc (DVD), a floppy disk, a cartridge, amagnetic tape, and/or another type of computer-readable medium, alongwith a corresponding drive.

Input component 210 may include a component that permits device 200 toreceive information, such as via user input (e.g., a touchscreendisplay, a keyboard, a keypad, a mouse, a button, a switch, amicrophone, a camera, and/or the like). Additionally or alternatively,input component 210 may include a sensor for sensing information (e.g.,a global positioning system (GPS) component, an accelerometer, agyroscope, an actuator, and/or the like). Output component 212 mayinclude a component that provides output information from device 200(e.g., a display, a speaker, one or more light-emitting diodes (LEDs),and/or the like).

Communication interface 214 may include a transceiver-like component(e.g., a transceiver, a separate receiver and transmitter, and/or thelike) that enables device 200 to communicate with other devices, such asvia a wired connection, a wireless connection, or a combination of wiredand wireless connections. Communication interface 214 may permit device200 to receive information from another device and/or provideinformation to another device. For example, communication interface 214may include an Ethernet interface, an optical interface, a coaxialinterface, an infrared interface, a radio frequency (RF) interface, auniversal serial bus (USB) interface, a Wi-Fi® interface, a cellularnetwork interface, and/or the like.

Device 200 may perform one or more processes described herein. Device200 may perform these processes based on processor 204 executingsoftware instructions stored by a computer-readable medium, such asmemory 206 and/or storage component 208. A computer-readable medium(e.g., a non-transitory computer-readable medium) is defined herein as anon-transitory memory device. A non-transitory memory device includesmemory space located inside of a single physical storage device ormemory space spread across multiple physical storage devices.

Software instructions may be read into memory 206 and/or storagecomponent 208 from another computer-readable medium or from anotherdevice via communication interface 214. When executed, softwareinstructions stored in memory 206 and/or storage component 208 may causeprocessor 204 to perform one or more processes described herein.Additionally or alternatively, hardwired circuitry may be used in placeof or in combination with software instructions to perform one or moreprocesses described herein. Thus, embodiments or aspects describedherein are not limited to any specific combination of hardware circuitryand software.

Memory 206 and/or storage component 208 may include data storage or oneor more data structures (e.g., a database and/or the like). Device 200may be capable of retrieving information from, storing information in,or searching information stored in the data storage or one or more datastructures in memory 206 and/or storage component 208. For example, theinformation may include encryption data, input data, output data,transaction data, account data, or any combination thereof.

The number and arrangement of components shown in FIG. 2 are provided asan example. In some non-limiting aspects or embodiments, device 200 mayinclude additional components, fewer components, different components,or differently arranged components than those shown in FIG. 2.Additionally or alternatively, a set of components (e.g., one or morecomponents) of device 200 may perform one or more functions described asbeing performed by another set of components of device 200.

Referring now to FIG. 3, FIG. 3 is a flowchart of a non-limitingembodiment of a process 300 for encrypting sensitive data using a fieldprogrammable gate array (FPGA) device. In some non-limiting aspects orembodiments, one or more of the functions described with respect toprocess 300 may be performed (e.g., completely, partially, and/or thelike) by host application device 102. In some non-limiting embodiments,one or more of the steps of process 300 may be performed (e.g.,completely, partially, and/or the like) by another device or a group ofdevices separate from and/or including user device 104, merchant system106, transaction service provider system 108, and/or issuer system 110.

As shown in FIG. 3, at step 302, process 300 may include receiving atransaction data record. For example, host application device 102 (e.g.,host application processor 114 of host application device 102) mayreceive one or more transaction data records from user device 104,merchant system 106, transaction service provider system 108, and/orissuer system 110. In some non-limiting embodiments, the transactiondata record may include a plurality of fields that contain values. Forexample, the transaction data record may include one or more data fieldsthat are associated with one or more values of transaction data. Thetransaction data may include transaction data associated with a paymenttransaction involving an account of a consumer, such as a userassociated with user device 104. In the example above, the transactiondata record may include one or more delimiter fields that are used toseparate data fields of the transaction data record.

In some non-limiting embodiments, one or more data fields of atransaction data record may include data values for the transaction dataassociated with a signal payment transaction involving an account. Forexample, a first data field of the one or more data fields may include adata value for an account identifier, such as an account number (e.g., aPAN). In such an example, a second data field of the one or more datafields may include a data value for an identifier of a consumer who ownsthe account (e.g., an accountholder identifier, a cardholderidentification number, a name of a consumer who owns the account, and/orthe like). Additionally, a third data field of the one or more datafields may include a data value for an account balance of the account.In some non-limiting embodiments, a data value of a data field mayinclude sensitive data (e.g., confidential data) that is not allowed tobe stored in a readily identifiable fashion (e.g., an unencryptedfashion) based on laws and/or regulations associated with the storage oftransaction data.

In some non-limiting embodiments, host application device 102 (e.g.,host application processor 114 of host application device 102) mayreceive a plurality of transaction data records in a data file. Forexample, host application device 102 may receive a data file for anaccount that includes the plurality of transaction data records, whereeach transaction data record includes data values for transaction dataassociated with a signal payment transaction involving the account. Insome non-limiting embodiments, a transaction data record may have aformat (e.g., a specific data format). For example, the transaction datarecord may have a format that includes a delimiter field that separateseach data field (e.g., each data field that includes a data value) inthe transaction data record. In some non-limiting embodiments, adelimiter field may have a value that includes a special character. Forexample, the delimiter field may have a value of a TAB character or aspecial character associated with a carriage return and/or a line feed.

In some non-limiting embodiments, host application device 102 may storeone or more data record templates for each transaction data record of aplurality of transaction data records based on a format of each of thetransaction data records. A data record template may include adefinition of a structure of the transaction data record (e.g., therelationship between the location of a delimiter value and the locationof a data value in the transaction data record) based on the format ofthe transaction data record. In some non-limiting embodiments, hostapplication device 102 may store the one or more data record templatesprior to receiving a transaction data record.

In some non-limiting embodiments, host application device 102 (e.g.,host application processor 114 of host application device 102) may storeone or more transaction data records based on receiving the transactiondata record. For example, host application device 102 may store the oneor more transaction data records in random access memory (RAM) of hostapplication device 102 based on a driver associated with communicationbus 116 so that the one or more transaction data records may beretrieved by FPGA device 118.

As shown in FIG. 3, at step 304, process 300 may include transmittingthe transaction data record to a field programmable gate array (FPGA)device. For example, host application processor 114 may transmit one ormore transaction data records to FPGA device 118 via communication bus116. In some non-limiting embodiments, FPGA device 118 may receive theone or more transaction data records via communication bus 116 based onhost application processor 114 transmitting the one or more transactiondata records.

In some non-limiting embodiments, FPGA device 118 may parse one or moretransaction data records. For example, FPGA device 118 may retrieve oneor more transaction data records and parse transaction data included inthe one or more transaction data records. In some non-limitingembodiments, FPGA device 118 may parse a plurality of transaction datarecords by processing the plurality of transaction data records in aparallel process. For example, FPGA device 118 may parse the pluralityof transaction data records by performing a plurality of operations on aplurality of data fields of a set of transaction data records (e.g.,corresponding data fields of a set of transaction data records) of theplurality of transaction data records simultaneously. In this way, FPGAdevice 118 of host application device 102 may more quickly process aplurality of transaction data records as compared to a centralprocessing unit (CPU) that processes the plurality of transaction datarecords in a serial process. In some non-limiting embodiments, FPGAdevice 118 may perform a plurality of operations on the plurality ofdata fields of the set of transaction data records during a single clockcycle of a clock associated with FPGA device 118.

In some non-limiting embodiments, FPGA device 118 may store transactiondata in RAM device (e.g., based on a driver associated withcommunication bus 116). For example, FPGA device 118 may store thetransaction data in the RAM based on parsing a plurality of transactiondata records so that the transaction data may be retrieved by hostapplication processor 114. In some non-limiting embodiments, hostapplication processor 114 may receive the transaction data that wasincluded in the plurality of transaction data records and store thetransaction data in a data structure (e.g., a database). For example,host application processor 114 may retrieve the transaction data fromthe RAM and store the transaction data in the data structure based onretrieving the transaction data.

As shown in FIG. 3, at step 306, process 300 may include receiving anencrypted transaction data record from the FPGA device. For example,host application processor 114 may receive an encrypted transaction datarecord from FPGA device 118. In some non-limiting embodiments, one ormore data fields (e.g., one or more data values of one or more datafields) of the transaction data record are encrypted by FPGA device 118to generate the encrypted transaction data record. For example, FPGAdevice 118 may retrieve an encryption key stored in read-only memory(ROM) of FPGA device 118, and FPGA device 118 may encrypt the one ormore data fields of the transaction data record using the encryptionkey. In some non-limiting embodiments, host application processor 114may store the encrypted transaction data record in a data structure. Forexample, host application processor 114 may store the encryptedtransaction data record in the data structure based on receiving theencrypted transaction data record from FPGA device 118. In somenon-limiting embodiments, host application processor 114 may store theencrypted transaction data record with a data record identifier of thetransaction data record that was used to generate the encryptedtransaction data record.

In some non-limiting embodiments, host application processor 114 and/orFPGA device 118 may determine one or more data fields of a transactiondata record that are to be encrypted. In one example, host applicationprocessor 114 and/or FPGA device 118 may determine the one or more datafields of the transaction data record that are to be encrypted based ona data record template. In some non-limiting embodiments, hostapplication processor 114 and/or FPGA device 118 may determine one ormore data fields of an encrypted transaction data record that are to bedecrypted. For example, host application processor 114 and/or FPGAdevice 118 may determine the one or more data fields of the encryptedtransaction data record that are to be encrypted based on a data recordtemplate that is associated with the transaction data record that wasused to generate the encrypted transaction data record.

In some non-limiting embodiments, FPGA device 118 may forego encryptingone or more fields of a transaction data record. For example, FPGAdevice 118 may forego encrypting one or more fields of the transactiondata record where the one or more fields of the transaction data recordinclude one or more data fields reserved for data values that are notsensitive (e.g., not confidential). In some non-limiting embodiments,FPGA device 118 may forego encrypting one or more fields of thetransaction data record based on determining that the one or more datafields are reserved for data values that are not sensitive. In somenon-limiting embodiments, host application processor 114 and/or FPGAdevice 118 may determine that one or more data fields of a transactiondata record are reserved for data values that are not sensitive based ona data record template associated with the transaction data record.

In some non-limiting embodiments, host application processor 114 mayencrypt one or more data fields of a transaction data record using FPGAdevice 118. For example, host application processor 114 may transmit acommand message (e.g., a command script) that causes FPGA device 118 toencrypt the one or more data fields of the transaction data record togenerate an encrypted transaction data record. FPGA device 118 maytransmit the encrypted transaction data record to host applicationprocessor 114 based on encrypting the one or more data fields.

In some non-limiting embodiments, host application processor 114 maydecrypt one or more data fields of an encrypted transaction data recordusing FPGA device 118. For example, host application processor 114 maytransmit a command message (e.g., a command script) that causes FPGAdevice 118 to decrypt the one or more data fields of the encryptedtransaction data record to generate a decrypted transaction data record.FPGA device 118 may transmit the decrypted transaction data record tohost application processor 114 based on decrypting the one or more datafields.

In some non-limiting embodiments, host application processor 114 mayreceive a transaction data record and host application processor 114 mayselect a data record template from among a plurality of data recordtemplates based on a format of the transaction data record. In somenon-limiting embodiments, host application processor 114 may determinethe one or more fields of the transaction data record based on the datarecord template. In some non-limiting embodiments, FPGA device 118 mayencrypt data values included in the one or more fields of thetransaction data record to generate an encrypted transaction datarecord.

In some non-limiting embodiments, host application processor 114 mayreceive a decrypted transaction data record from FPGA device 118. Forexample, host application processor 114 may receive a request (e.g., arequest from user device 104, merchant 106, transaction service providersystem 108, and/or issuer system 110) for a transaction data record andhost application processor 114 may retrieve the encrypted transactiondata record from a data structure. In some non-limiting embodiments,host application processor 114 may transmit the encrypted transactiondata record to FPGA device 118 and FPGA device 118 may decrypt one ormore data fields of the encrypted transaction data record using adecryption key to generate a decrypted transaction data record. In somenon-limiting embodiments, the decryption key may be stored in FPGAdevice 118. In some non-limiting embodiments, FPGA device 118 maytransmit the decrypted transaction data record to host applicationprocessor 114 based on decrypting one or more data fields of theencrypted transaction data record. In some non-limiting embodiments,host application processor 114 may receive the decrypted transactiondata record from FPGA device 118 based on FPGA device 118 transmittingthe decrypted transaction data record.

In some non-limiting embodiments, host application processor 114 mayretrieve an encrypted transaction data record from a data structurebased on receiving a request for a transaction data record (e.g., arequest for a transaction data record that was used to generate theencrypted transaction data record). For example, host applicationprocessor 114 may determine a data record identifier of the transactiondata record that was included in the request for the transaction datarecord and host application processor 114 may retrieve the encryptedtransaction data record from the data structure based on the data recordidentifier.

In some non-limiting embodiments, host application processor 114 mayupdate a configuration of FPGA device 118. For example, host applicationprocessor 114 may receive data associated with an encryption key and/ordata associated with an encryption algorithm. Host application processor114 may update or cause FPGA device 118 to update the configuration ofFPGA device 118 based on the data associated with the encryption keyand/or data associated with the encryption algorithm. In anotherexample, host application processor 114 may receive data associated witha decryption key and/or data associated with a decryption algorithm.Host application processor 114 may update or cause FPGA device 118 toupdate the configuration of FPGA device 118 based on the data associatedwith the decryption key and/or data associated with the decryptionalgorithm.

Referring now to FIGS. 4A-4H, FIGS. 4A-4H are flowcharts of anon-limiting embodiment or aspect of an implementation 400 relating to aprocess for encrypting sensitive data using an FPGA device. Asillustrated in FIGS. 4A-4H, implementation 400 may include hostapplication device 402 and/or transaction service provider system 408.In some non-limiting embodiments, host application device 402 may be thesame as, or similar to, host application device 102. In somenon-limiting embodiments, transaction service provider system 408 may bethe same as, or similar to, transaction service provider system 108. Insome non-limiting embodiments, host application device 402 may includehost application processor 414, PCIe bus 416, and/or FPGA device 418. Insome non-limiting embodiments, host application processor 414 may be thesame as, or similar to, host application processor 114. In somenon-limiting embodiments, PCIe bus 416 may be the same as, or similarto, communication bus 116. In some non-limiting embodiments, FPGA device418 may be the same as, or similar to, FPGA device 118.

As shown by reference number 420 in FIG. 4A, host application device 402may receive a transaction data record from transaction service providersystem 408. For example, host application device 402 (e.g., hostapplication processor 414 of host application device 402) may receivethe transaction data record from the transaction service provider system408. In some non-limiting embodiments, the transaction data record mayinclude transaction data associated with a payment transaction. Forexample, the data associated with the payment transaction may includeformat data associated with a format of the transaction data record,account holder data associated with an identifier for an account holderof a payment account, account identification data associated with anidentifier for the payment account, and/or the like. In somenon-limiting embodiments, data included in the data associated with thepayment transaction may be included in one or more data fields of thetransaction data record. For example, a first field of the transactiondata record may include the format data associated with the format ofthe transaction data record, a second field of the transaction datarecord may include the account holder data associated with theidentifier for an account holder of a payment account, a third field ofthe transaction data record may include the account identification dataassociated with the identifier for the payment account, and/or the like.

As shown by reference number 425 in FIG. 4B, host application processor414 may transmit the transaction data record to FPGA device 418. Forexample, host application processor 414 may transmit the transactiondata record to FPGA device 418 via a communication bus. In such anexample, host application processor 414 may transmit the transactiondata record to FPGA device 418 via PCIe bus 416. In some non-limitingembodiments, host application processor 414 may transmit the transactiondata record to PCIe bus 416 and PCIe bus 416 may transmit thetransaction data record to FPGA device 418 based on receiving thetransaction data record. In some non-limiting embodiments, hostapplication processor 414 may transmit the transaction data record toFPGA device 418 based on host application processor 414 receiving thetransaction data record from transaction service provider system 408.

As shown by reference number 430 in FIG. 4C, FPGA device 418 may selecta data record template from among a plurality of data record templates.For example, FPGA device 418 may select a data record template fromamong a plurality of data record templates based on a format of thetransaction data record. In some non-limiting embodiments, FPGA device418 may select the data record template from among the plurality of datarecord templates based on the format data associated with the format ofthe transaction data record included in the transaction data record. Forexample, FPGA device 418 may select the data record template from amongthe plurality of data record templates based on FPGA device 418comparing the format data associated with the format of the transactiondata record to one or more data record templates of the plurality ofdata record templates. In such an example, the one or more data recordtemplates of the plurality of data record templates may each include,respectively, format data associated with a format for each data recordtemplate. In some non-limiting embodiments, the format data associatedwith the format for each data record template may specify one or moredata fields to be encrypted. For example, the format data associatedwith the format for each data record template may specify one or moredata fields to be encrypted by FPGA device 418. In one such example, theformat data associated with the format for a first data record templatemay specify that a first field is original (e.g., not encrypted), asecond field is encrypted, and a third field is encrypted. In anotherexample, the format data associated with the format for a second datarecord template may specify that a first field is original, a secondfield is original, and a third field is encrypted.

As shown by reference number 435 in FIG. 4D, FPGA device 418 maydetermine one or more data fields of the transaction data record to beencrypted based on the data record template that was selected. Forexample, FPGA device 418 may determine that a third field of thetransaction data record should be encrypted based on the data recordtemplate that was selected. In such an example, FPGA device 418 maydetermine that the format data associated with the format of the datarecord template that was selected specifies that one or more data fieldsof the transaction data record should be encrypted.

As shown by reference number 440 in FIG. 4E, FPGA device 418 may encryptone or more data fields of the transaction data record to generate anencrypted transaction data record. For example, FPGA device 418 mayencrypt one or more data fields of the transaction data record togenerate an encrypted transaction data record based on FPGA device 418determining the one or more data fields of the transaction data recordto be encrypted. In some non-limiting embodiments, FPGA device 418 mayencrypt data values (e.g., the format data associated with the format ofthe transaction data record, the account holder data associated with theidentifier of the account holder of the payment account, the accountidentification data associated with the identifier for the paymentaccount, and/or the like) included in the one or more data fields of thedata transaction data record. For example, FPGA device 418 may encryptdata values included in the one or more data fields of the datatransaction data record based on (e.g., using) an encryption key (e.g.,a symmetric encryption key, an asymmetric encryption key, a publicencryption key, a private encryption key, and/or the like). In somenon-limiting embodiments, the encryption key may be stored in FPGAdevice 418. For example, the encryption key may be stored in read-onlymemory (ROM) of FPGA device 418.

As shown by reference number 445 in FIG. 4F, FPGA device 418 maytransmit the encrypted transaction data record to host applicationprocessor 414 via PCIe bus 416. For example, FPGA device 418 maytransmit the encrypted transaction data record to host applicationprocessor 414 via PCIe bus 416 based on FPGA device 418 generating theencrypted transaction data record.

As shown by reference number 450 in FIG. 4G, transaction serviceprovider system 408 may receive the encrypted transaction data record.For example, transaction service provider system 408 may receive theencrypted transaction data record from host application device 402. Insuch an example, host application device 402 (e.g., host applicationprocessor 414 of host application device 402) may transmit the encryptedtransaction data record to transaction service provider system 408.

As shown by reference number 455 in FIG. 4H, transaction serviceprovider system 408 may store the encrypted transaction data record in adatabase. For example, transaction service provider system 408 may storethe encrypted transaction data record in a database based on transactionservice provider system 408 receiving the encrypted transaction datarecord. In some non-limiting embodiments, transaction service providersystem 408 may store the encrypted transaction data record in a databasewith a data record identifier.

Although the above systems, methods, and computer program products havebeen described in detail for the purpose of illustration based on whatis currently considered to be the most practical and preferredembodiments or aspects, it is to be understood that such detail issolely for that purpose and that the present disclosure is not limitedto the described embodiments or aspects but, on the contrary, isintended to cover modifications and equivalent arrangements that arewithin the spirit and scope of the appended claims. For example, it isto be understood that the present disclosure contemplates that, to theextent possible, at least one feature of any embodiment or aspect can becombined with at least one feature of any other embodiment or aspect.

What is claimed is:
 1. A system, comprising: at least one hostapplication processor; at least one field programmable gate array (FPGA)device coupled to the at least one host application processor via acommunication bus; wherein the at least one host application processoris programmed or configured to: receive a transaction data recordcomprising transaction data associated with a payment transaction;transmit the transaction data record to the at least one FPGA device viathe communication bus; and wherein the at least one FPGA device isprogrammed or configured to: encrypt the one or more data fields of thetransaction data record to generate the encrypted transaction datarecord, wherein, when encrypting the one or more data fields of thetransaction data record to generate the encrypted transaction datarecord, the at least one FPGA device is programmed or configured to:select a data record template from among a plurality of data recordtemplates based on a format of the transaction data record; determinethe one or more data fields of the transaction data record based on thedata record template; and encrypt data values included in the one ormore data fields of the transaction data record using an encryption keystored in the at least one FPGA device; wherein the at least one hostapplication processor is further programmed or configured to: receivethe encrypted transaction data record from the at least one FPGA devicevia the communication bus, wherein one or more data fields of thetransaction data record are encrypted to generate the encryptedtransaction data record.
 2. The system of claim 1, wherein the at leastone FPGA device, when encrypting the one or more data fields of thetransaction data record to generate the encrypted transaction datarecord, is configured to: encrypt the one or more data fields of thetransaction data record using an encryption key stored in read-onlymemory (ROM) of the at least one FPGA device.
 3. The system of claim 1,wherein the at least one host application processor is furtherprogrammed or configured to: store the encrypted transaction data recordin a database based on receiving the encrypted transaction data recordfrom the at least one FPGA device.
 4. The system of claim 3, wherein theat least one host application processor is further programmed orconfigured to: receive a request for the transaction data record;retrieve the encrypted transaction data record from the database;transmit the encrypted transaction data record to the at least one FPGAdevice; and receive a decrypted transaction data record from the atleast one FPGA device, wherein one or more data fields of the encryptedtransaction data record are decrypted to generate the decryptedtransaction data record.
 5. The system of claim 4, wherein the at leastone host application processor, when retrieving the encryptedtransaction data record from the database, is programmed or configuredto: determine a data record identifier of the transaction data recordfrom the request; and retrieve the encrypted transaction data recordfrom the database based on the data record identifier.
 6. The system ofclaim 1, wherein the at least one host application processor is furtherprogrammed or configured to: receive data associated with an encryptionkey; and update a configuration of the at least one FPGA device based onthe data associated with the encryption key.
 7. The system of claim 1,wherein the at least one FPGA device, when transmitting the transactiondata record to the at least one FPGA device, is programmed or configuredto: transmit the transaction data record to the at least one FPGA devicevia a peripheral component interconnect express (PCIe) bus, and whereinthe at least one FPGA device, when receiving the encrypted transactiondata record from the at least one FPGA device, is programmed orconfigured to: receive the encrypted transaction data record from theFPGA device via a PCIe bus.
 8. A computer-implemented method,comprising: receiving, with at least one host application processor, atransaction data record comprising transaction data associated with apayment transaction; transmitting, with at least one host applicationprocessor of the computing device, the transaction data record to afield programmable gate array (FPGA) device of the computing device;encrypting, with at least one FPGA device, the one or more data fieldsof the transaction data record to generate the encrypted transactiondata record, wherein encrypting comprises: selecting a data recordtemplate from among a plurality of data record templates based on aformat of the transaction data record; determining the one or more datafields of the transaction data record based on the data record template;and encrypting data values included in the one or more data fields ofthe transaction data record using an encryption key stored in the atleast one FPGA device; and receiving, with at least one host applicationprocessor, the encrypted transaction data record from the FPGA device ofthe computing device, wherein one or more data fields of the transactiondata record are encrypted using an encryption key stored in the FPGAdevice to generate the encrypted transaction data record.
 9. Thecomputer-implemented method of 8, wherein the one or more data fieldsare one or more first data fields of the transaction data record andwherein encrypting the one or more first data fields of the transactiondata record comprises: foregoing encrypting one or more second datafields of the transaction data record, wherein the one or more secondfields of the transaction data record comprise one or more data fieldsreserved for non-confidential data.
 10. The computer-implemented methodof claim 8, further comprising storing the encrypted transaction datarecord in a database based on receiving the encrypted transaction datarecord from the FPGA device.
 11. The computer-implemented method ofclaim 10, further comprising: receiving a request for the transactiondata record; retrieving the encrypted transaction data record from thedatabase; transmitting the encrypted transaction data record to the FPGAdevice; decrypting the one or more data fields of the encryptedtransaction data record using a decryption key stored in the FPGA deviceto generate a decrypted transaction data record; and receiving thedecrypted transaction data record from the FPGA device.
 12. Thecomputer-implemented method of claim 11, wherein retrieving theencrypted transaction data record from the database comprises:determining a data record identifier from the request for thetransaction data record; and retrieving the encrypted transaction datarecord from the database based on the data record identifier.
 13. Thecomputer-implemented method of claim 8, further comprising: receivingdata associated with an encryption key; and updating a configuration ofthe FPGA device based on the data associated with the encryption key.14. The computer-implemented method of claim 8, wherein transmitting thetransaction data record to the FPGA comprises: transmitting thetransaction data record to the FPGA device via a peripheral componentinterconnect express (PCIe) bus, and wherein receiving the encryptedtransaction data record from the FPGA device comprises: receiving theencrypted transaction data record from the FPGA device via the PCIe bus.15. A computer program product, comprising at least one non-transitorycomputer-readable medium including one or more instructions that, whenexecuted by at least one host application processor, cause the at leastone host application processor to: receive a transaction data recordcomprising transaction data associated with a payment transaction;transmit the transaction data record to a field programmable gate array(FPGA) device of a computing device; wherein the one or moreinstructions, when executed by the FPGA device, cause the FPGA device toencrypt one or more data fields of the transaction data record togenerate an encrypted transaction data record, wherein, the one or moreinstructions that cause the FPGA device to encrypt the one or more datafields of the transaction data record to generate the encryptedtransaction data record, cause the FPGA device to: select a data recordtemplate from among a plurality of templates based on a format of thetransaction data record; determine one or more data fields of thetransaction data record based on the data record template; and encryptdata values included in the one or more data fields of the transactiondata record using an encryption key stored in the at least one FPGAdevice; and wherein the one or more instructions further cause the atleast one host application processor to: receive the encryptedtransaction data record from the FPGA device via the communication bus,wherein data values included in the one or more data fields of thetransaction data record are encrypted using an encryption key stored inthe FPGA device.
 16. The computer program product of claim 15, whereinthe one or more instructions further cause the at least one processorto: store the encrypted transaction data record in a database based onreceiving the encrypted transaction data record from the FPGA device.17. The computer program product of claim 16, wherein the one or moreinstructions further cause the at least one processor to: receive arequest for the transaction data record; retrieve the encryptedtransaction data record from the database based on the request for thetransaction data record; transmit the encrypted transaction data recordto the FPGA device; and receive a decrypted transaction data record fromthe FPGA device, wherein the data values included in the one or moredata fields of the encrypted transaction data record are decrypted usingan decryption key stored in the FPGA device.
 18. The computer programproduct of claim 15, wherein the encryption key is a first encryptionkey and wherein the one or more instructions further cause the at leastone processor to: receive data associated with a second encryption key;and update a configuration of the FPGA device based on the dataassociated with the second encryption key.